wpa_supplicant 2.3 and multiple authentication with Cisco authenticator

schlandt at web.de
Fri Mar 11 07:00:47 PST 2016


Hello,

I could not find information about wpa_supplicant and 802.1x multiple authentication (Cisco). 
I would like to authenticate 18 clients (embedded devices/wired Ethernet) through an unmanaged switch to one Cisco switch port.
The clients use a Debian derivative with wpa_supplicant 2.3 handling 802.1x authentication.
It is obvious that the clients restart authentication very often, e.g. every few seconds:
wpa_supplicant sends multicast messages to a group address that all clients subscribe to, which means other clients will get response messages that were not meant for them.
This causes the supplicant PAE state machine to transition from state AUTHENTICATED to state RESTART; the transition
happens on 'eapolEap&&portValid', "On receiving an EAP-Request frame while portValid is asserted, the Supplicant transitions to the RESTART state." IEEE 802.1X-2004, § 8.2.11.7. However, 'eapolEap' is not set when receiving EAP-Request but, according to § 8.2.2.2 h,
"eapolEap. This variable is set TRUE by an external entity if an EAPOL PDU carrying a Packet Type of EAP-Packet is
received." This will work if you have one client, but in our use case we have multiple, which means EAP-Packet !=
EAP-Request.

Does anyone have an idea how we could prevent the permanent state changes between AUTHENTICATED and RESTART state?
I would be thankful for any ideas or workarounds.

Best regards,
Paul
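
The mismatch described in the message above, as an added example that is not part of the original post and is not wpa_supplicant code: it classifies constructed EAPOL frames seen on a shared segment and counts AUTHENTICATED to RESTART transitions under the two readings quoted from IEEE 802.1X-2004. The frame bytes, MAC addresses and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { EAPOL_ETHERTYPE = 0x888E, EAPOL_TYPE_EAP_PACKET = 0, EAP_CODE_REQUEST = 1 };

/* Constructed frames: Ethernet header (14) + EAPOL header (4) + EAP packet. */
#define PAE_GROUP 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03   /* PAE group address */
static const uint8_t resp_from_peer[] = { PAE_GROUP, 0x02, 0, 0, 0, 0, 0x11, 0x88, 0x8E,
    0x01, 0x00, 0x00, 0x05, 0x02, 0x07, 0x00, 0x05, 0x01 };  /* EAP-Response/Identity */
static const uint8_t req_from_auth[] = { PAE_GROUP, 0x02, 0, 0, 0, 0, 0xAA, 0x88, 0x8E,
    0x01, 0x00, 0x00, 0x05, 0x01, 0x08, 0x00, 0x05, 0x01 };  /* EAP-Request/Identity */
static const uint8_t start_from_peer[] = { PAE_GROUP, 0x02, 0, 0, 0, 0, 0x12, 0x88, 0x8E,
    0x01, 0x01, 0x00, 0x00 };                                /* EAPOL-Start, no EAP body */

/* 8.2.2.2 h as quoted: eapolEap is set for any EAPOL PDU of type EAP-Packet. */
int sets_eapol_eap(const uint8_t *f, size_t len)
{
    if (len < 18) return 0;                                   /* too short for EAPOL */
    if (((f[12] << 8) | f[13]) != EAPOL_ETHERTYPE) return 0;
    return f[15] == EAPOL_TYPE_EAP_PACKET;
}

/* EAP code of the carried packet, or -1 if the frame carries no EAP packet. */
int eap_code(const uint8_t *f, size_t len)
{
    return (sets_eapol_eap(f, len) && len >= 22) ? f[18] : -1;
}

/* Count AUTHENTICATED -> RESTART transitions with portValid asserted.
 * request_only = 0: variable definition (8.2.2.2 h); 1: wording of 8.2.11.7. */
int count_restarts(int request_only)
{
    const uint8_t *f[] = { resp_from_peer, req_from_auth, start_from_peer };
    const size_t n[] = { sizeof resp_from_peer, sizeof req_from_auth, sizeof start_from_peer };
    int restarts = 0;
    for (size_t i = 0; i < 3; i++) {
        if (!sets_eapol_eap(f[i], n[i])) continue;
        if (request_only && eap_code(f[i], n[i]) != EAP_CODE_REQUEST) continue;
        restarts++;   /* assumes re-authentication completes before the next frame */
    }
    return restarts;
}

int main(void)
{
    printf("any EAP-Packet: %d, EAP-Request only: %d\n", count_restarts(0), count_restarts(1));
    return 0;
}
```

The other client's EAP-Response is what separates the two counts: it is an EAP-Packet, so it sets eapolEap, although it is not an EAP-Request.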



